Old 05-22-2008, 01:52 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Need help with basic Snort rule to detect string in a web page


I have the rule:
alert ip any any -> any any (msg: "Test String"; flow: to_client,established; content:"teststring"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; sid: 2001351; rev:6;)

But it is not alerting when I bring up a test html page with "teststring" inside of it.

Thanks in advance!
 
Old 05-23-2008, 12:36 AM   #2
chakka.lokesh
Member
 
Registered: Mar 2008
Distribution: Ubuntu
Posts: 250

Rep: Reputation: 32
Quote:
alert ip any any -> any any (msg...
try changing the ip to tcp

alert tcp any any -> any any (msg...
 
Old 05-23-2008, 09:34 AM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Hmm, that didn't work. I even tried removing nocase; threshold: type threshold, track by_dst,count 5, seconds 360;

If you know how to do this see:
http://www.linuxquestions.org/questi...ritten-644285/
 
Old 05-26-2008, 04:05 PM   #4
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
ip will include all protocols including tcp, udp and icmp
 
Old 05-27-2008, 01:09 AM   #5
chakka.lokesh
Member
 
Registered: Mar 2008
Distribution: Ubuntu
Posts: 250

Rep: Reputation: 32
That protocol hierarchy is with respect to networks

but are you sure that when you mention ip, snort is going to check the payload of the inner level protocols like tcp, udp, icmp, http, ftp, smtp etc.?

Last edited by chakka.lokesh; 05-27-2008 at 05:05 AM.
 
Old 05-27-2008, 03:49 PM   #6
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by chakka.lokesh
That protocol hierarchy is with respect to networks

but are you sure that when you mention ip, snort is going to check the payload of the inner level protocols like tcp, udp, icmp, http, ftp, smtp etc.?
Nope, I'm not sure

And I think you're right, it's not checking the whole payload. It didn't check it with tcp either, and it won't let me use http:
snort[17134]: FATAL ERROR: /etc/snort/rules/creditcard.rules(14) => Bad protocol: http

Any ideas?
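The three rule problems this thread runs into (a rule pasted without its closing ";)", "http" used as the header protocol, which Snort rejects with the "Bad protocol" error quoted above, and an "ip" rule relying on flow: state) can all be caught before Snort is restarted. The small linter below is an added example, not code from the thread or from Snort; the checks it performs are assumptions about what a sane Snort 2.x rule should look like, and it does not validate every option Snort knows.

```python
import re

# Protocols a Snort 2.x rule header accepts; "http" is not one of them
# (HTTP traffic is matched with tcp rules plus the http_inspect preprocessor).
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split on ';' only when an even number of '"' follows, i.e. outside quotes,
# so a pattern such as content:"a;b" is not cut in half.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_options(opts):
    """Turn 'msg:"x"; nocase; sid:1;' into [('msg', '"x"'), ('nocase', ''), ...]."""
    pairs = []
    for raw in OPT_SPLIT_RE.split(opts):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs

def lint_rule(rule):
    """Return the problems found in one rule; an empty list means it looks sane."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        if not rule.rstrip().endswith(")"):
            problems.append("rule is not closed with ';)' -- truncated paste?")
        else:
            problems.append("header does not parse (action proto src sport dir dst dport)")
        return problems
    if m.group("proto") not in VALID_PROTOCOLS:
        problems.append("Bad protocol: %s (use tcp; HTTP is handled by http_inspect)" % m.group("proto"))
    opts = m.group("opts")
    if not opts.rstrip().endswith(";"):
        problems.append("every option, including the last, must end with ';'")
    keys = [k for k, _ in parse_options(opts)]
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            problems.append("missing option: %s" % required)
    if "content" not in keys and "pcre" not in keys:
        problems.append("no content/pcre match: rule fires on every packet")
    if m.group("proto") == "ip" and "flow" in keys:
        problems.append("flow: only matches tracked sessions, so ICMP never matches under proto ip; use tcp")
    return problems
```

Run lint_rule() over each line of a .rules file and fix anything it reports before reloading Snort; an empty list means only that the rule parses and is not obviously degenerate, not that it will match the traffic you expect.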
 
Old 05-28-2008, 12:33 AM   #7
chakka.lokesh
Member
 
Registered: Mar 2008
Distribution: Ubuntu
Posts: 250

Rep: Reputation: 32
alert tcp any any -> any any (msg:"test string"; flow:established; content:"test string"; nocase; sid:2001315; rev:1;)

Try this rule. Copy and paste it as it is. DO NOT make any changes. Let us see what it does.

Last edited by chakka.lokesh; 05-28-2008 at 01:06 AM.
 
Old 05-28-2008, 09:26 AM   #8
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Original Poster
Rep: Reputation: 55
Didn't work. I even tried a rule for asdf and made a .html page containing only asdf, not even <html>.

I think this has something to do with the http_inspect or stream5 preprocessors in the snort.conf file.

This is what I have:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } \
oversize_dir_length 500 \
flow_depth 0

Do I need to add something to tell it to reassemble packets with stream5 both ways on port 80?
 
Old 08-20-2008, 12:42 AM   #9
chakka.lokesh
Member
 
Registered: Mar 2008
Distribution: Ubuntu
Posts: 250

Rep: Reputation: 32
Yesterday, I got one idea. I am not sure whether it works or not,
but try this.

In the attack responses file, see the rule with sid:498.

There you replace the content "uid=0|28|root|29|" with "test string".

Observe what snort is doing.
 